Has anyone had experience in utilizing their SIEM solution as part of incident response? I'm looking for systems that go beyond SEM and log aggregation/archiving. Something like MARS, eIQ, QRadar, ArcSight, etc... Comment on ease of use, time it saved, etc. I'm trying to build business cases for SIEM for customers under PCI and GLBA.

Have you researched any ROI documents from these solutions? This may give some hard facts as well. Also, you may want to ask a third-party vendor(s) for this information as well since they probably have a vast amount of customers that have bast information with them.

Hi there,to really go beyond, start thinking about create rules that can say something to your company. Something like: If you could generate incidents from diferent logs and prove a fraud by combining them, you are in the right path. But always keep in mind to be focused where your company does the money or loose the money.From there you can attract managers and directors attention. I've done this way and now everytime we detect an incident we are heard.And no matter wich tool you choose to be your SIEM, the response quality is the object to be achieved.As an example: If you get hit by a DDOS, your SIEM will not be able to handle so much trafic logs from the firewall and the same will happen to your IPS/IDS. But if you can say: we are loosing money, because I got multiple logins to our sales portal using the same userid/password and the responsible for this userid was fired 3 months ago.This will attract their attention for sure!

Well I use Envision and Arc Sight. I would say Arc Sight is far better product than any other SIEM in the Market ( you should check with arc sight for various tools/appliance they offer But it has to depend lot on your company budget and needs.

SIEM gives you a true picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance. There are 3 core areas.

munch137 wrote:Has anyone had experience in utilizing their SIEM solution as part of incident response? I'm looking for systems that go beyond SEM and log aggregation/archiving. Something like MARS, eIQ, QRadar, ArcSight, etc... Comment on ease of use, time it saved, etc. I'm trying to build business cases for SIEM for customers under PCI and GLBA.

I'm a big fan of OSSIM which uses a slew of open source tools, Snort, Nagios, OpenVAS, etc., and one of the main reasons why I like it is that you could easily program slash tailor it to do what you need it do it unlike other closed source (Windows) applications. With that said, SIEM for incident response means little if your staff isn't vigilant on monitoring what is going on. For example, let's imagine a new 0day on the market. Most SIEM's, IDS' (which are the core of SIEM anyway), IPS, etc., won't have the proper signatures to detect what is going on. An event will solely be an anomaly. Is your staff vigilant enough to investigate further?

With OSSIM, SIEM goes a little further in my opinion. Not only are you capable of the typical "assessments" you can use it to alert yourself and tailor responses. E.g.: If EventA then Perform ActionB it's all a matter of know how and this could be said for most SIEM's to a degree. I so happen to like OSSIM because of its *nix based root. This allows me to do things like create ssh session keys, create rules on the fly and have those rules pushed to other machines.

Has anyone ever used the SIEM (NitroView Enterprise Security Manager (ESM)) or QRadar? It seems like SIEM can help get an organization SAS70 certified. It was noted that "SIEM gives you a true picture of how your network is being used, and by whom. It independently monitors your network to verify security policies, to generate alerts for possible compliance breaches, and to analyze and report on network performance" but has it ever overwhelmed anyone here with false positives?

I've actually looked at a couple of solutions including ArcSight and RSA. They both have similar capabilities, but the downside to both of these is the cost. I'm currently testing out a vendor named HAWK Security Network Defense which has the same, if not more custom/correlating capabilities. One of my friends referred me to them. So far I've been pleased with their proof of concept, and price wise, they're not event half of what the others cost. Hope this helps.

I use Splunk daily. It is very intuitive once you get it installed and running. I am still running version 3 b/c you don't get alerts with the free version of 4.*, so what I am about to say may not be the case with the most up to date version, but it can be a little slow depending on your configuration. I have Splunk reading roughly 1200-2000 files worth of syslog data, and it takes anywhere from 5 mintues to 20 minutes for an event to show up in the interface. So, its not "real-time" and it doesn't do correlation like ArcSight, but its a great option if you don't have the money that ArcSight costs...

Just an observation for the folks that are debating between the tools that are commonly viewed as the top tier (Arcsight, envision, etc) and "the others". The top tier systems will be costly out of the box, but if your organization doesn't have heavy technically skilled resources in house it might be worth it. The platform vendors spend a significant amount of time and energy trying to make their systems "plug and play". They'll have modules/plug-ins that will make them work with most conceivable devices (OSs, network devices, vulnerability scanners, GRC, etc) so they are easier to roll out and maintain. The "other" systems can be just as capable and powerful, but they can be a bit more involved in getting fully deployed and functional especially in large enterprise environments. For organizations that have the proper staff this can be feasible, but for folks that try to do SIEM on the cheap with a staff of security generalists they can be playing with fire.

Last edited by pseud0 on Wed Sep 08, 2010 8:14 pm, edited 1 time in total.